
August 07, 2013

21:55

A quick summary on the "0-day against Tor" brouhaha

It was recently announced that "the FBI" had apparently used a "0-day" exploit against people using Tor, with subsequent explosions of comments from the usual privacy advocates.

While I'm all for privacy advocacy, at times we shouldn't let our preconceived notions get the better of us. So let's look at the available data here.

On Aug. 4th the Tor people were advised of something gone awry. Hidden services run by an organization called "Freedom Hosting" were unreachable, and apparently someone had exploited the software used on them to deploy this malicious JavaScript in the web pages it delivered to users. An advisory was released shortly thereafter.

Now, Freedom Hosting services include TorMail (a very secure anonymous email operation); hacking and fraud forums such as HackBB; money laundering operations; the Hidden Wiki (sort of a Dark Net Wikipedia...); and virtually all of the most popular child pornography websites on the planet. A Freedom Hosting account cost a one-time fee of $5 and offered unlimited space and bandwidth, an onion domain, PHP and MySQL support, FTP access, and even backups (!). A large number of hidden websites were hosted by Freedom Hosting, so it's easy to see how the "attack against Tor users" generalization was born.

By analyzing the code (see the excellent writeups here and here) we can observe a number of things.

First of all, this was an attack exploiting a known vulnerability in an older version of the Firefox JavaScript engine. Specifically, this older version was present in some of the Tor Browser Bundle (TBB) versions. TBB includes Firefox plus some privacy patches.

For the sake of documentation, I will note that this was fixed in Firefox 17.0.7 ESR, and in TBB 2.3.25-10 (plus several of the alphas and the betas). Fixes were available for TBB since June 26th.

So whoever was affected after June 26th was affected because they hadn't patched their software; this was no zero-day by the time the attack came to light.
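A patch-level check is the first thing a defender would run against an inventory after this kind of disclosure. The following is an added example (not code from the original post) that compares TBB and Firefox ESR version strings against the fixed versions stated above; the inventory lines are constructed, and pre-release versions are reported as unknown because the post does not say which alphas and betas carried the fix.

```python
import re

# Fixed versions stated in the post: Firefox 17.0.7 ESR and TBB 2.3.25-10.
FIXED_FIREFOX_ESR = (17, 0, 7)
FIXED_TBB = (2, 3, 25, 10)


def parse_version(version):
    """Turn '2.3.25-10' or '17.0.7' into a tuple of ints so comparison is numeric.

    A plain string comparison gets this wrong: '2.3.25-9' > '2.3.25-10' as strings,
    which would mark an unpatched bundle as fixed.
    Returns None for alpha/beta strings: the post says several of those were fixed
    too, but not which ones, so we refuse to guess.
    """
    if re.search(r"alpha|beta", version):
        return None
    return tuple(int(part) for part in re.split(r"[.-]", version))


def is_patched(version, fixed):
    """True if version >= fixed, False if older, None if we cannot tell."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed >= fixed


# Constructed inventory records: '<host> <product> <version>'.
SAMPLE_INVENTORY = [
    "ws1 tbb 2.3.25-10",
    "ws2 tbb 2.3.25-9",
    "ws3 firefox-esr 17.0.6",
    "ws4 firefox-esr 17.0.7",
    "ws5 tbb 3.0-alpha-2",
]


def audit_inventory(records):
    """Return the hosts whose browser is definitely older than the fixed release."""
    vulnerable = []
    for record in records:
        host, product, version = record.split()
        fixed = FIXED_TBB if product == "tbb" else FIXED_FIREFOX_ESR
        if is_patched(version, fixed) is False:
            vulnerable.append(host)
    return vulnerable
```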

Additionally, the exploit was targeted to Windows users, while the Firefox vulnerability is cross-platform.

The payload connects to 65.222.202.54:80 and sends an HTTP request that includes the host name (obtained via gethostname()) and the MAC address of the local host (obtained by calling SendARP on the address from gethostbyname()->h_addr_list). After that it cleans up its state and appears to crash deliberately.

So, what happened is that by compromising one or more hidden services, the unknown attacker collected, at that IP address, a list of the vulnerable users who accessed those services.

The payload does not open a backdoor or install other stuff, so this is very unlikely to be a black hat operation. It looks much more like a tracking mechanism, so it's not a bad guess that this is law enforcement or three-letter-agency activity. It actually sounds suspiciously like CIPAV, the FBI malware we know about from 2007.

Around the same time, a guy named Eric Marques was arrested and is awaiting extradition at the FBI's request for facilitating the exchange of child porn. There's no direct link so far, but it's easy to believe that Marques is the founder of Freedom Hosting and that the two operations are related. However, we may wish to be cautious about saying this is what happened.

Interestingly, a couple of years back Anonymous did take Freedom Hosting down for a few hours (Operation Darknet), under the lead of Sabu, back then an important member of Anonymous and later disclosed as an FBI informant. Since he turned informant in August 2011 and the operation against Freedom Hosting is dated October of that year, there has been speculation that it was the first FBI-led operation against the network. But this is really a wild shot in the dark.

We also shouldn't believe that child porn is such a large component of Tor traffic. The curious reader may wish to check some statistics on what is actually hosted on the Dark Net.

What is pretty funny, or sad, are the suggestions given to Tor users to avoid falling into a similar trap in the future. Besides the obvious "keep your software up to date", another suggestion from fairy-crypto-land is "disable JavaScript" (try it on your own and let me know how many websites you are able to browse after that); and also, while you are at it, "CSS, SVG, XML"... Other suggestions included "randomize your MAC address" (I can see Windows users out there doing just that!) and "install various firewalls" (which in this case would have surely helped, right?).

Another suggestion was to use Tails, a live distribution of Linux with Tor and privacy software preinstalled. Which is precisely the best way to keep software up-to-date, right?

I think the Tor community should face, and have users face, the sad reality. It is impossible to safely use Tor to browse common websites without risking an attack of this kind (because it is basically impossible to use ordinary websites with Javascript-and-everything-else-disabled). This was terribly effective and used a month-old vulnerability. Just go figure what would happen with a zero-day. Also, while using Tails per se is a good suggestion (because in this way you compartmentalize privacy browsing from data and systems used in non-private browsing) this wouldn't really help in this scenario (except for the fact that this specific payload was Windows based, but there's no reason for that except the fact that a vast majority of the interesting subjects were using Windows).

If you have a real need to go anonymous, you need to implement good opsec, as my friend Grugq is demonstrating here (slides here).